Bug 969883

Summary: [RFE] Support of forests in the AD provider
Product: Red Hat Enterprise Linux 7
Reporter: Dmitri Pal <dpal>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED CURRENTRELEASE
QA Contact: Kaushik Banerjee <kbanerje>
Severity: unspecified
Priority: unspecified
Version: 7.0
CC: Colin.Simpson, grajaiya, jgalipea, pbrezina
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.10.0-10.el7.beta2
Doc Type: Enhancement
Doc Text:
Feature: The SSSD is able to retrieve information about, and authenticate, users from Active Directory trusted domains within a single forest.
Reason: This is expected functionality in large AD environments, especially geographically distributed ones with multiple domains.
Result (if any): By using a fully-qualified user or group name (Administrator@trusted.domain), the SSSD is able to serve users and groups from trusted domains in a similar fashion to the local domain.
Story Points: ---
Last Closed: 2014-06-13 13:31:32 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Dmitri Pal 2013-06-02 21:58:32 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/364

This ticket changed its shape.
The CIFS client and server side tickets have been forked out as separate tickets.
https://fedorahosted.org/sssd/ticket/1534
https://fedorahosted.org/sssd/ticket/1573

The scope of this ticket is reduced to: the AD provider must support trusted domains in a similar way to how the IPA provider does it.

Comment 1 Jakub Hrozek 2013-06-06 09:48:01 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1557

Comment 2 Jakub Hrozek 2013-06-06 09:58:51 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1558

Comment 3 Jakub Hrozek 2013-06-06 22:32:04 UTC
Fixed upstream.

Comment 4 Colin.Simpson 2013-07-13 01:49:15 UTC
Did this make it into F19 sssd-ad-1.10.0-16.fc19?

This doesn't seem to work on F19, so I presume it's not there yet?

Or I'm not sure this bz covers user lookup in trusted AD domains (RFC2307 attributes throughout the forest).

Comment 5 Jakub Hrozek 2013-07-15 08:48:37 UTC
The feature is in 1.10. I must say we haven't really tested the trusted domains with RFC2307 attributes much, but mostly ID-mapped SIDs. Can you describe your scenario in more detail? Does SSSD simply not see the users?

A couple of caveats to think about:
 * only trusted domains from the same forest are recognized
 * you need to query the users using a fully qualified name (user or trusted\\user)
 * in order to leverage POSIX attributes and not ID mapping, you need to set ldap_id_mapping=False in the sssd.conf in the domain section.

Feel free to start a thread on the sssd-users list as well.
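As an added illustration (not part of this bug or of the SSSD project's own documentation), this is an sssd.conf domain section that applies the caveats above for a forest whose domains carry RFC2307 attributes; the domain name example.com and realm EXAMPLE.COM are assumed placeholder values.

```ini
# Added example, not from this bug: /etc/sssd/sssd.conf for an AD forest
# whose domains all carry RFC2307 (uidNumber/gidNumber) attributes.
# example.com / EXAMPLE.COM are assumed placeholder names.
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
access_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM

# Caveat 3: use the POSIX IDs stored in AD rather than algorithmic SID
# mapping. With the default (True) the uidNumber/gidNumber attributes are
# ignored and IDs are derived from SIDs instead.
ldap_id_mapping = False

# Caveat 2: users and groups from trusted domains are addressed in
# fully-qualified form, e.g. user@child.example.com or CHILD\user.
# Requiring it for the local domain too avoids short-name ambiguity.
use_fully_qualified_names = True

# Caveat 1 needs no setting: only domains of the same forest are
# discovered, so domains in a separate forest stay invisible.
cache_credentials = True
```

After restarting sssd, a lookup such as `getent passwd user@child.example.com` exercises the trusted-domain path; a short name alone is not expected to resolve.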

Comment 6 Jakub Hrozek 2013-10-04 13:25:40 UTC
Temporarily moving bugs to MODIFIED to work around errata tool bug

Comment 8 Kaushik Banerjee 2014-01-20 11:36:36 UTC
Marking as verified in 1.11.2-27.el7


Report from beaker job run:

   [   PASS   ]      ad_forest_01  bz 1002592 1033096 969882 Lookup users and groups
   [   PASS   ]      ad_forest_02  bz 1002597 User and group memberships from different domains
   [   FAIL   ]      ad_forest_03  bz 1028039 Enumerate users and groups
   [   PASS   ]      ad_forest_04  bz 969882 Use flatname in the fully qualified format
   [   PASS   ]      ad_forest_05  bz 1053106 subdomain do not inherit fallbacks and overrides settings
   [   PASS   ]      ad_forest_auth_01  Auth users from all domains
   [   PASS   ]      ad_forest_auth_02  change password for all users from all domains
   [   PASS   ]      ad_forest_auth_03  bz 924404 support of enterprise principals
   [   PASS   ]      ad_access_filter  Add users and groups
   [   PASS   ]      ad_access_filter_01  access_provider defaults to ad
   [   PASS   ]      ad_access_filter_02  access_provider=ad without any other options denies expired users
   [   PASS   ]      ad_access_filter_03  An expired user, even though he matches the filter, is denied access
   [   PASS   ]      ad_access_filter_04  access_provider=ad without any other options allows non-expired users
   [   PASS   ]      ad_access_filter_05  ad_access_filter=memberOf=cn=admins,ou=groups,dc=example,dc=com
   [   PASS   ]      ad_access_filter_06  ad_access_filter=(cn=user)
   [   PASS   ]      ad_access_filter_07  ad_access_filter=dom1 (memberOf=cn=admins,ou=groups,dc=example,dc=com)
   [   PASS   ]      ad_access_filter_08  ad_access_filter=DOM dom2 (memberOf=cn=admins,ou=groups,dc=example,dc=com)
   [   PASS   ]      ad_access_filter_09  bz 1032983 ad_access_filter=FOREST EXAMPLE.COM (memberOf=cn=admins,ou=groups,dc=example,dc=com)
   [   PASS   ]      ad_access_filter_10  bz 1033133 invalid ad_access_filter
   [   PASS   ]      ad_forest_simple_001  simple_allow_users=user1
   [   PASS   ]      ad_forest_simple_002  bz 991055 simple_allow_users=user1,user2,user3.com
   [   PASS   ]      ad_forest_simple_003  bz 1048102 simple_allow_users=DOMAIN1\user1,DOMAIN2\user2,CHILD1.DOMAIN1\user3
   [   PASS   ]      ad_forest_simple_004  simple_deny_users=user2,user3.com
   [   PASS   ]      ad_forest_simple_005  simple_allow_groups=group1,group2,group3.com
   [   PASS   ]      ad_forest_simple_006  simple_allow_groups=DOMAIN\group
   [   PASS   ]      ad_forest_simple_007  bz 982619 simple_deny_groups=group1
   [   PASS   ]      ad_forest_simple_008  Permit All Users
   [   PASS   ]      ad_forest_simple_09  Deny All Users

Comment 9 Ludek Smid 2014-06-13 13:31:32 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.